Lots of recent projects have shown that modern automobiles, because of their heavy reliance on computerised components and internet connectivity, can be abused, manipulated and taken over by a hacker with enough determination. But a new, freely downloadable book presents car hacking in a more positive light, as a way to check the security of your own vehicle.
The aptly titled the Car Hacker's Handbook 2014 opens with, “Congratulations! You just purchased your first real Owners manual.” It continues, “This manual doesn't focus on what all those dashboard lights are, but on how to control them.” If you read all the way through, and understand its content, “it will detail how to perform a full security evaluation of your vehicle.” In other words, hack it.
The author is Craig Smith, a security researcher at Theia Labs and part of OpenGarages, a group of vehicle modding enthusiasts. Smith is looking for guest authors for future versions of the handbook. “Car hacking is a group activity and we welcome all feedback,” he writes.
Smith told me over email that he devised the guide as a teaching device. “With the increasing interest in car hacking, I have been giving classes teaching people how to get started. This book was designed as the course book that also would fit in the glove box," he said.
“I firmly believe that if you buy something it is your right to take it apart, see how it works, and modify it if you want,” he continued. “In the internet world, it is common to test security. As devices become connected we need to verify they are safe for the consumer. Cars are especially important because of the obvious safety ramification if security is overlooked.”
There are sections on vehicle communication systems, attacking key fobs and immobilizers, and setting up a suitable hacking garage. Basically, everything you need, although the manual doesn't hold your hand and expects you to already know what you're talking about to some extent.
Indeed, Smith doesn't expect people to just download his book randomly. “Honestly, if you are holding this manual I would hope you would have a clue why you are doing so,” he writes. Just in case you've forgotten, or perhaps to help with responses to those who question why you spend your free time exploiting your car's security systems, he provides a list of reasons for car hacking. Benefits include understanding how your vehicle works, discovering new features, and “validating” the vehicle's security, to name a few.
This last section may be the most important. “As of writing, the safety guidelines for vehicles do not address threats of malicious electronic nature. While vehicles are susceptible to the same malware your desktop gets, auto-makers are not required to audit the security of their electronics,” the manual explains.
But while the manual is written as if you're checking out your own car, isn't there a risk hackers with malicious intent could use it to target others? Smith said he thought it unlikely someone would go to so much trouble. "It's like picking locks. Sure you could be a malicious lockpicker, but a real criminal just breaks the glass. There are a lot easier ways to harm people with cars than reversing the firmware," he said.
A motivation for many car hackers, Smith included, is more like the opposite: to spur the car manufacturing industry to be better prepared against cyberattacks. "Publishing on how to research vehicles does not decrease safety. Vulnerabilities exist and the more people know how to identify them the more likely they are to be reported and fixed," he said.
He told me he does think the industry takes the issue seriously. “The problem is that some of them don't know how to embrace the public. In order to stay on top of things in the internet-connected world, you need to be able to quickly and securely update your systems. Many car companies are just not there yet.”
I think keeping the problem secret doesn’t actually help keep people safe.
Nearly a year ago, Chris Valasek and Charlie Miller, the researchers who electronically commandeered a Ford Escape and a Toyota Prius, published the grit of their study for anybody to see. That was partly a push to get Ford and Toyota to examine their own cars and see what problems needed to be solved. “I think keeping the problem secret doesn’t actually help keep people safe,” Miller told me at the time. “Maybe it does in the very, very short term, but in the longer term the best approach is to find the problems and to discuss them and get them fixed, rather than trying to hide them.”
I asked Miller what he thought about the Car Hacker's Handbook. “It seems a little short on details,” Miller said in an email, “but gives a nice overview of everything car hacking related. I'd definitely recommend it to someone getting interested in this field.”
After Miller's and Valasek's project, Senator Edward Markey sent a letter to auto-makers demanding some answers about their security practices, but the manufacturers didn't do much.
Earlier this week in Wired, Miller and Valasek detailed a new device to foil the attacks they originally exposed; an anti-hacking tool. The duo's gadget isn't actually for sale; it's just to demonstrate how easy it would be for car manufacturers to make one.
According to Smith, some change from the industry is coming. “We are starting to see manufacturers put up web pages instructing people how to submit findings and even give rewards. This is great!”
Smith was referring Tesla, which allows hackers to report any vulnerabilities they find via their website. “The auto industry is interested, just some move faster than others,” Smith said. “This type of public communication helps bring back innovation to the car industry.”
Perhaps the Car Hacker's Handbook will encourage more people to crack their cars, and in the process, attract more interest from auto-makers too.